Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

ThePretender writes "From the Infoworld article, 'Open Source Risk Management LLC (OSRM), a startup company that last month hired Pamela Jones, editor of the popular Groklaw.net Web site, as director of litigation risk research, plans to soon begin offering insurance policies to companies using open source software but fear that they may be sued, according to a company spokeswoman'. What's next - Developers having to pick up 'code malpractice' insurance? Egads." Might as well get some alien abduction insurance while you're at it.

What's next - Developers having to pick up 'code malpractice' insurance? Egads.

They already have it. The agency I work for has several carriers that will write a malpractice (officially called "Professional Liability") policy for computer nerds. The standard one that I've seen provides a million dollars of coverage in the event that you screw up and cause something like data loss or the like. The policy itself is pretty broadly worded and could cover everything from bugs in a program you wrote to a general mistake of stupidity dealing with media. As I recall they start at about $1,200+ a year depending on the type of business and the people involved.

All insurance really does is protect you from losses that you couldn't (or don't want to) afford. The comment from the summary sounds sarcastic (as well as the "throw-your-money-away dept." tagline) but in reality in this sue happy world these types of policies are not a bad idea. Do you want to lose your business and livelihood over an honest mistake and some sue happy customer? A few hundred or thousand bucks for peace of mind is a small price to pay in this day and age.

I'm no legal expert, but couldn't all of this be avoided with a proper disclaimer in the licence for the software?

And in theory you can prevent people from suing you if you put up a "Beware of Dog" sign or a "Private Property" sign. In reality you'll always find some clever lawyer or easily-swayed jury that rules the other way.

Are you going to trust the future of your business and life to a disclaimer?

No, that's wrong. You can never stop people from suing you. By placing a "beware of dog" sign, you are making sure that people will know there's a dog before doing something stupid like sticking their arms in. In other words if the sign is there and someone sues you because your dog bite him, you are probably going to win, but if the sign was there, you would probably be found guilty.

A disclaimer is no different. You are just letting people know about the degree of support you are offering to them befo

In reality you'll always find some clever lawyer or easily-swayed jury that rules the other way.

Without even going that far, the act of being sued can be devastating, even if you just fight for a year and then they back off and it never really goes to trial.

Let's say a hundred bucks or so every time your lawyer picks up the phone. Several hundred for a letter. A grand for a simple motion. A couple months of just futzin' around and the legal bills can add up in a hurry.

I know of a judge who treats every petty charge as if it were a federal case. Really comes down hard on everyone, right down to a simple parking violation. And yet if you look at his conviction records they're no different than average.

When asked what gives he said, " I make them have to get a lawyer. Now that is punishment."

It isn't usually losing a suit that hurts. It's simply being involved in one. You have to get a lawyer. And anyone can sue you over damned near anything.

The quick honest answer is that you can't, and even lawyers depend upon other lawyers to defend themselves.

You can acquire a certain facility with the law, in some cases of specific law even a superiour facility than the legal general practitioner. This will allow you, at least, to do a reasonable job of arranging settlements and plea bargains, although not generally quite as good as you could obtain with a lawyer.

If only because the lawyer has a professional acquaintence with the judge and DA. They have

And in theory you can prevent people from suing you if you put up a "Beware of Dog" sign or a "Private Property" sign. In reality you'll always find some clever lawyer or easily-swayed jury that rules the other way.

Are you going to trust the future of your business and life to a disclaimer?

" I'm no legal expert, but couldn't all of this be avoided with a proper disclaimer in the licence for the software?"

ABSOLUTELY NOT! Trust me on this one. Insurance is about having a guy on your side with a team of experienced lawyers. That is what it is for. If you don't have that, they can skin you alive. Because of some bad advice I got from my insurance broker, I spent over $100,000 on attorneys fees for a case that a jury would have laughed out of court. But that's the rub: the plaintiff's lawyers make it as expensive as possible to get to court, and even there you better be good looking and well spoken or the jury might decide to split the difference. Heck, with all those big words getting thrown around, you could lose because a single juror misunderstood something trivial.

The reality is that there is no justice for a small business standing alone. Lawyers are sharks and you are penguins. Tasty, tasty, defenseless penquins. They know they can wear you down, because there is nothing you can do to stop them. You can't represent yourself, because one mistake in filing means you lose the whole case and your house, savings and life goes down the tubes.

Despite the above, I'm not really bitter. It's over and I'm glad it is over. But I really understand the need for insurance now, which is to bring your own personal shark to the party...

in my experience (AM/FM GIS industry) a software consulting firm typically can't even bid a job without certification of insurance. I don't know how it is in other insutries however, but it is normal practice for large utility corporations.

$1200 per year? Zow! I'm starting a job in Canada, and they're bringing me in as a contractor at first for immigration purposes, and I'm on the hook for a million loonies worth of liability, too. But in Canada, a million dollar liability policy runs about $150 CDN per year....

All insurance really does is protect you from losses that you couldn't (or don't want to) afford. The comment from the summary sounds sarcastic (as well as the "throw-your-money-away dept." tagline) but in reality in this sue happy world these types of policies are not a bad idea. Do you want to lose your business and livelihood over an honest mistake and some sue happy customer? A few hundred or thousand bucks for peace of mind is a small price to pay in this day and age.

The insurance cycle feeds itself. You're more likely to sue if you think you'll get a big payoff. Since your now more likely to get sued, you're more likely to get insurance.

My personal solution (see this post [slashdot.org] of mine under a different thread) would be for the Insurance companies to stand up to the bogus lawsuits and fight them instead of settling. Of course they won't do this because it would cost more to fight then it would to settle -- so the cycle continues.

I'm not sure on US law, but in Oz it is "Public Liability" and "Professional Indemnity".

They are two distinct areas of insurance. Public is to protect you if a visitor (non-employee) trips over in your office and breaks a leg. Professional is for when you fsck up (as parent said - data loss, etc).

That said, when I was establishing my IT company it was astounding how many traditional insurance firms would outright refuse to insure us. They wouldn't demand overzealous premiums, but flatly refuse to insu

What's next - Developers having to pick up 'code malpractice' insurance?

I am in consulting and guess what, insurance to protect me in case of a damage causing programming error starts at over $2,000 a year! And for good reason, imagine you write something that rounds up instead of down in the hundredths place for some output from a data generatng monte carlo. It could go unnoticed for months, and then tens of millions of records in a database could need to be checked and recalculated. That would be HU

For the most part, the insurance industry is highly competitive. Anyone who charges too high a rate gets dumped for a cheaper alternative. A mature insurance industry can accurately price risk. This will be a good way to protect yourself and for skittish management types this is an effective way to allay their fears for a reasonable cost. Should any IP issues arise, you know you are covered and the insurance company will pay out to fix your problems.

And for good reason, imagine you write something that rounds up instead of down in the hundredths place for some output

... and the program goes nuts and you suddenly have hundreds of thousands of dollars in your account that you can't explain, and you're probably headed to Federal PMITA prison, and to top it all off you find out that Lumberg f*cked her. THAT's when you need insurance my friend.

Yes, I'm surprised everyone's making a fuss about it. We've carried it when we had 32 staff, and we still carry it now that we're down to 3 (full timers). It was 12k for the full load, and now it's under 4k (all CDN).

We've done work for IBM and other large institutions and all of our contracts with our clients carry indemnification and insurance and other liability clauses. It's just the normal course of business.

Doesn't sound like a place I'd want to work. What happens when SCO gets swept back under the rug? I realize that some businesses may want the security of having this, but I would think that a more general insurer would be able to take care of that. This seems way too specialized for a niche that I'm not convinced exists, or, if it does, that will last.

Unless the insurance premium is kept low - it could be low now, but we only need a couple of alligation to push up the premium - eventually, only big development houses can afford such insurance, and what are part-time freelance developers going to do?

The main problem is, when you have such 'standard protection' for malpractice, consumers want to see that you're insured.

- You buy a jar of mayonnaise made by Kraft- Kraft gets sued by SCOMayo (whatever) for infringing on one of their patents on how to make mayonnaise that stays fresh for up to 12 months and loses- SCOMayo now sues everyone who ever bought and stored the patent-infringing mayonnaise from Kraft and demands additional $6.99 for every jar of mayonnaise purchased?

IANAL, so I don't understand how this works. Can SCOMayo sue individual people and sandwhich shops, fast foods and restaurants for patent infringement? If so, maybe they should start selling indemnification insurance at the supermakets as well for an extra $0.99 per item ($0.88 at Wal-Mart)?

On a more technical side, would this mean that because I own 3 nVidia video cards I may get sued by ATI and I need insurance just in case? Where and how is this line drawn, if there is one?

You are in no way responsible for the use of code that someone else has stolen. If I steal some code from a company and then put it on the net and you use it, the company I stole it from can go after me and possibly people who were making and distributing CDs with this code on (I think only if they could prove that they knew the code was stolen and kept on distributing) but they can't go after you unless you continue to use the code after they have notified you it was stolen (and I think even that one would

It's too bad. I read the headline and immediately thought of a comment I posted [slashdot.org] last November.

Seems this is nowhere near the same thing. I proposed insuring people against the cost of fixing a bug in open software. This, OTOH, is simply litigation risk management. Feh. Well, still a fairly good idea, I suppose. It just doesn't strike me as being terribly constructive.

If the code was open source though, who do you go after? The people profiting from it - the end user.

Using what legal principle? What did the "user" do wrong? You can surely go after people who copied and redistributed the code without permission, people who entered into a contract with you and violated it, but how can you "go after" anybody else?

Is your ATI or nVidia video card insured in this way? You know, just in case they go after each other and start suing each others' customers? How about your soun

Not really. Software insurance doesn't fix any of the bugs that may be encountered, and shit^H^H^H^Hbugs happen. Your customer won't really benefit either. If they had a choice, they'd rather have less buggy code, than have a loss that they have to claim against. So they get some $$$ off your insurer. It still has to be fixed. Who are they gonna call? You? No, they've put you out of business, since now you can no longer get insurance. So they have to call someone who doesn't understand the code to fix it. S

"Software insurance doesn't fix any of the bugs that may be encountered, and shit^H^H^H^Hbugs happen"...

Man, I can't wait until Software Engineering actually becomes a more professional practice. Imagine what would happen if all engineering degreed people in the world said things like "shit happens" when something went wrong. While we all know shit really DOES happen, there is no place other than software design where that answer seems like a normal thing. Every other discipline does everything they

Given she now has a good job which will be taking a lot of her time and which should be paying real money, she probably won't be for much longer.How much mileage has the SCO story got left anyway? A good time to get out:-)

I believe she's stated many times that when the SCO case blows over (and SCO blows up and McBride and Co. dry up and blow away) she wanted the site to evolve into a forum for open source and free software legal issues. As far as getting out, I don't think she's ever said that.

Why just open source companies? If Microsoft screws up, they're not exactly going to be backing you up if you delivered a product using their software. (In the EULA, their liability is usually limited to what you paid for their software or $10.)

You have SCO, planning to sue everyone on the face of the Earth until they can collect a "license fee" on every *NIX system, including Linux and BSD. You have patents being granted on new inventions like "use the Internet to sell things". And you have vendors of proprietary software becoming increasingly nervous about the competition from free software; they might decide to play the lawsuit card.

It's not unthinkable that a company would sue end-users directly to "make an example" out of them; SCO already did just that, to AutoZone and DaimlerChrysler.

There are legal threats out there. Insurance against them isn't silly.

Hardly a day goes by that there isn't a story on/. about some company using the legal system as a legal extortion scheme. This sounds like a step in the right direction, although I want it to cover any lawsuit, not just open source libality. If companies knew that they had a real fight comming, they might not be so sue happy. I'd like to see a $300,000 policy which covers just the litigation costs (not damages if you lose) and has about a $5-10,000 deductible. Oh, and I want the premium to be about $25

If companies knew that they had a real fight comming, they might not be so sue happy. I'd like to see a $300,000 policy which covers just the litigation costs (not damages if you lose) and has about a $5-10,000 deductible.

Virtually all kinds of liability coverage include your legal defense. If you get sued for a million bucks your insurance company is going to defend you to the utmost -- and they typically have better lawyers then you or I have access to.

The company I work for got "the letter" from SCO, and we have now had a second linux-based project shot down due to SCO's FUD working. This is frustrating, to say the least, when the appropriate technical situation is being held hostage by SCO.

If we could buy insurance against the near-zero chance that SCO could be successful, we might be able to get these projects going in the direction that makes technical sense, and stop worrying about (insert rant about McBride and company here).

What's next - Developers having to pick up 'code malpractice' insurance?

Sounds great to me. Every place I've ever done contract programming for has a clause in their contract that basically says, "If somebody sues us, they sue you." Some of them are nicer about it, and pretty much just require you to appear in court if there's ever a problem. Others want you named as a defendant. Saying "don't screw up" wouldn't make me feel as comforted as a good insurance policy -- if such a thing exists?

I don't see why there is such a negative response to this post. I would bet that many if not most of the companies who paid SCO licensing fees would have opted for this deal instead, had it been available, leaving SCO with a lot less money for frivolous lawsuits. In fact, it wouldn't just take money away from SCO--it would give it to the other side. Any company offering open source insurance would have a huge financial interest in fighting a company like SCO, giving the open source movement some much need legal muscle. If insurance like this got more popular, it could seriously weaken SCO's business model.

Is it just me, or is anyone else worried about the incentive structure this sets up?

I mean, now an unscrupulous open source developer could intentionally insert some blatantly stolen code, claiming it's their own; some in-cahoots business with a copyright on the code can take everyone to court; the insurance will have to pay out big time, and the company slips a million to the asshole developer under the table.

The Open Source movement gets a bunch of bad PR, the code needs an emergency re-write, some scoundrels make a killing, and the insurance company rethinks its business model.

I know insurance investigators can go about investigating and trying to stop this from happening, but it seems like a very hard thing to prove, as along as the payment to the programmer is channeled very secretly.

As a business decision, it now looks dangerous to buy an SCO-licensed product. Where's your protection if SCO goes under? Do you have source code? Do you have source code escrow? Do you have insurance against vendor bankruptcy?

It's a very real issue. Misery is being dependent on software from a failed vendor.

SCO believes that its $699 per processor Intellectual Property License for Linux, however, is a better idea. "Ours is certainly the most reasonable way to go and certainly the safest way to go," he said.

How would you figure out how much money would be necessary to back these policies? If you believe that the risk is zero, and they don't need money, then the business becomes a confidence scheme. If you believe that the risk isn't zero, you need something to back it up.

On top of that, if you insure people against auto accidents, or serious diesease, you can assume that everyone won't get hit at the same time. But if it turned out that running linux exposed you to liability, then all of the policy holders would have to be paid off at once. In other words, there's no way the premiums would be able to cover it.

I'm not an actuary or an insurance expert, so maybe I don't understand what's going on. But it doesn't smell right to me.

This summer I had the opportunity to work for BlackDuckSoftware.com [blackducksoftware.com]. Black Duck has built software to help developers (from individuals to large corporations) manage their use of open source software. Essentially, the software enables firms to track the usage of open source code, determine conflicts (if any) and suggest methods of compliance. It takes into account methods of combining code, whether the code is for internal use or public distribution, any number of other considerations that involve open source license compliance. It is able to deal with code licensed under *all* of the certified open source licenses [opensource.org] as well as many other proprietary licenses.

While it is not insurance, and does not provide any kind of indemnification, it is a damn good management tool. Its goal is to allow companies to make use of open source code in such a way that full compliance is facilitated, and to avoid any uh-oh moments that happen after code is commerically released.

I worked on the development of the license interpretation module. It involved reading (and re-reading) 50+ licenses and parsing their terms such that compatibility determinations and compliance requirements could be generated for every possible combination of license, code, distribution, concatenation, link, modularization, etc. of a software product. It was exhausting (and sometimes tedious) work, and it certainly made it easy to tell which licenses were written by lawyers, which by coders, and which were written with input from both. It gave me new understanding of why unenlightened legal departments sometimes shy away from open source. Nonetheless, the reality is these licenses exist, are in use today, and are all valid until some court says otherwise. Licensors (i.e. coders in the community) have every right to expect their terms to be adhered to.

Being a geek myself, and a law student, it was pretty gratifying to see that a company wanted to build a product that helped managers to understand and not fear the open source phenomenon. Further, I think the product will really help firms stay fully compliant when they decide to use open source code. And that, in the end, is all our community can ask for.

Regular readers of Groklaw have a pretty good idea what PJ thinks of SCO's chances with their various lawsuits. I see a couple of different reasons why PJ and Bruce Perens would both (RTFA) be in on this:

1) Our dear friend Darl has made threatening noises with regard to Groklaw being on the side of whoever SCO is suing this week (e.g., IBM, Red Hat, Novell, Autzone, etc.). OSRM may provide PJ and the rest of the Groklawyers with a corporate vehicle to continue doing exactly what they've been doing without fear that Darl can go after PJ (in particular but also anyone else who contributes) in some sort of malicious (big $ personal lawsuit) way. SCO has amply demonstrated that their response to anyone who opposes them is to file a lawsuit (See SLAPP).

2) You will note that the first activity of this insurance company doesn't seem to be trying to sell an insurance policy. Its to offer a class "...on how best to mitigate the risk of using open source software". Any bets that a lot of that class will be on how to file the right paper work to legally tell SCO to go find an alien who can probe them until the existing SCO litigation is cleared up including deciding if SCO really does own the copyrights to UNIX? (Maybe Darl should look into that alien abduction insurance.)

This sounds like a hoax to me. PJ continues to post articles to Groklaw so I don't think she's the former editor. I also haven't heard anything about this venture from there, nor has she been particularly enthusiastic for OSS indemnification in the past.

I could be wrong, but for the moment, I'll hold off taking them seriously.

Get a group of a couple hundred people together - all within a couple of degrees of eachother. Blue book eachothers cars - then all pay into an investment fund a set rate each month for auto or other insurance. Not into an insurance policy with some other carrier - but an actual investment/savings fund.

Take an umbrella policy out on the whole investment for an extreme case, and pay for that policy out of the combined account. If there is an accident that requires payment over a certain percentage of the value of the fund - then you leverage the policy from some insurance carrier that you have purchased. But, if at the end of the year there are no accidents - the investment OSI can pay a dividend on the money paid in and invested.

All other insurance companies operate this way - but here is a community based insurance. The big guys are just investment companies that take otehr peoples money to invest with in leiu of paying them off if something should happen to them or the property that they are esentially using as an asset backing to the investment. In the sense that the maintaining of the well-being of the object is the incentive for the person to pay to insure its well-being. and in the case of auto insurance - this investment revenue is guarenteed by law.

You must have insurance on your vehicle regardless of whether you have been in an accident. and if, at the end of the year - you dont get into an accident - you do not get any return on your contribution to the insurance companies investment.

"If you are thinking about working in the law of free software, and gosh, I hope you are, one of the things you might want to be thinking about working on is the software conservation trusts that are going to be growing up around this economy in the next five years. I'll help you make one, or you can come to work in one of mine. We're going to need to spend a lot of time doing work which is associated with trustees. We're going to be spending a lot of time making sure that things are put together and they are built well. And we are going to be doing that on behalf of a third-party insurance industry which is going to be growing up, is growing up before our very eyes now, which is learning that it really cares how the free software is assembled."

I've been getting inundated with email, asking if Groklaw will be shutting down, thanks to an article in InfoWorld that identified me as the "former editor of Groklaw". That is inaccurate. I am still the editor of Groklaw, and my work with OSRM is separate from it. My contract is written so as to ensure my having time to do Groklaw. I have always done paid work in addition to Groklaw, so this isn't anything new.

The article said that SCO didn't sound displeased to hear the news. Not that I wish to throw cold water on anyone's pleasure in Lindon or anything, but Groklaw isn't going anywhere.

That's somewhat of a ridiculous comparison. If you're going to compare OSS and closed source methodologies, you should not do the equivalent of comparing a teen garage band with the New York Philharmonic. A better comparison would be "enterprise" closed source, versus open source that has a lot of manpower behind it.

The open source that tends to get used the most is the stuff that has a strong userbase and active developers. The 14-year-old-written "this is l33t so I wrote it, visit my blog d00d!@!@!!" kin